From: Serge Hallyn <serge.hallyn@gmail.com>
To: selinux@tycho.nsa.gov
Subject: learning about policies/transitions
Date: Wed, 3 Nov 2004 10:45:30 -0600 [thread overview]
Message-ID: <46ce702f041103084530fe8539@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1156 bytes --]
Hi,
I've been trying (on and off for some time) to get a very simple
test policy working on a FC2 selinux system. I just want it to have
the following types:
boot_d: default domain
login_d: domain automatically entered by /bin/login
user_d: domain voluntarily entered by login_d
obj_t: type for all fs objects
login_et: type for /bin/login
The policy files are attached. I did
checkpolicy -o basic.bin basic.pol
cp basic.bin /etc/security/selinux/policy.17
(boot with selinux=0)
setfiles basic.ctx /
Doing these same steps with /etc/security/selinux/src/policy/policy.conf
and /etc/security/selinux/src/policy/file_contexts/file_contexts
results in a working selinux system.
With my basic policy, though, boot_d will not transition to login_d
on execution of /bin/login. ls -Z /bin/login shows that it is labeled
as login_et. Since logging in doesn't work, I test by booting single
user mode, and running
ps -Z
[everything is running under boot_d]
/bin/login & ps -Z
[login is running under boot_d]
What am I missing in the policy that would enable this automatic
domain transition to happen?
thanks,
-serge
[-- Attachment #2: basic.pol --]
[-- Type: application/octet-stream, Size: 10411 bytes --]
#SELinux Policy:
#Modules applied: basic
#Security Object classes
# Object class declarations.  Declarations are positional: the position of a
# class in this list is the class index compiled into policy.17, and the kernel
# looks classes up by that index, so this list must stay in the order the
# kernel was built with (the same caveat the capability class below states
# for its permissions).  Only the classes actually used by the rules at the
# end of this file matter for the test, but dropping the others would shift
# every following index.
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd
# SE-X Windows stuff
class drawable
class window
class gc
class font
class colormap
class property
class cursor
class xclient
class xinput
class xserver
class xextension
#Initial sids
# FLASK
#line 1 "flask/initial_sids"
# FLASK
#
# Define initial security identifiers
#
# Initial SIDs are the contexts the kernel uses for subjects and objects it
# cannot label any other way (the first task, the security server itself,
# objects on filesystems it has no labeling rule for, ...).  Only the names
# are declared here; the context each one maps to is given in the
# "Initial sid contexts" section near the end of this file.  As with classes,
# the order is positional and must match the kernel's.
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
#Access vectors
# Common permission sets.  A "common" block is not a class by itself; classes
# below pull it in with "inherits <common>" and may add permissions of their
# own.  Permission order inside a block is positional (it fixes the bit each
# permission occupies in the access vector), so keep it as is.
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
# execute is the permission checked on the *calling* domain when it execs a
# file of this type; the TE rules at the end grant it per exec'd type.
execute
swapon
quotaon
mounton
}
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
# Per-class access vectors for filesystem and network classes.  A class either
# lists its own permissions, inherits a common set declared above, or both.
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
# Regular files add the two exec-time permissions on top of common file:
# execute_no_trans lets a domain exec the file and stay in its own domain;
# entrypoint is what the *new* domain needs on the file it is entered through
# (the "allow login_d login_et:file entrypoint;" rule below relies on it).
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
# File descriptors have a single permission, use; an fd object is labeled by
# the domain that created it, which matters for the fd rules below.
class fd
{
use
}
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
# Process, SysV IPC, security-server, system and capability classes.
# For the transition question in the mail the relevant permissions are
# process transition (checked old domain -> new domain at exec time) and
# process setexec (needed by a process that picks its own exec-time domain,
# e.g. via setexeccon, as login does for its "voluntary" switch).
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
}
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
# Permissions on the security server itself (the "security" initial SID).
# load_policy, setenforce and setbool are the administrative ones: whoever
# holds them can replace the policy or switch enforcement off.
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
}
# Userspace object manager classes.  These are enforced by userspace programs
# (passwd and the SE-X server), not by the kernel; the kernel only stores them
# so that policy queries for them can be answered.  Apart from the passwd rules
# in the TE section nothing in this test policy uses them.
class passwd
{
passwd
chfn
chsh
rootok
}
class drawable
{
create
destroy
draw
copy
getattr
}
class gc
{
create
free
getattr
setattr
}
class window
{
addchild
create
destroy
map
unmap
chstack
chproplist
chprop
listprop
getattr
setattr
setfocus
move
chselection
chparent
ctrllife
enumerate
transparent
mousemotion
clientcomevent
inputevent
drawevent
windowchangeevent
windowchangerequest
serverchangeevent
extensionevent
}
class font
{
load
free
getattr
use
}
class colormap
{
create
free
install
uninstall
list
read
store
getattr
setattr
}
class property
{
create
free
read
write
}
class cursor
{
create
createglyph
free
assign
setattr
}
class xclient
{
kill
}
class xinput
{
lookup
getattr
setattr
setfocus
warppointer
activegrab
passivegrab
ungrab
bell
mousemotion
relabelinput
}
class xserver
{
screensaver
gethostlist
sethostlist
getfontpath
setfontpath
getattr
grab
ungrab
}
class xextension
{
query
use
}
# Type declarations.  *_t are object types (obj_t is the catch-all for every
# filesystem object without a more specific label, see basic.ctx), login_et
# is the entrypoint type of /bin/login, and *_d are process domains.
type obj_t;
type secret_t;
type login_et;
type shell_t;
type boot_d;
type login_d;
type user_d;
# system_r is the only role in this policy; every type, object types included,
# is authorised for it so that any system_u:system_r:<type> context is valid.
role system_r types obj_t;
role system_r types secret_t;
role system_r types login_et;
role system_r types shell_t;
role system_r types boot_d;
role system_r types login_d;
role system_r types user_d;
# boot_d may execute /bin/login.  This is the first of the four pieces the
# automatic boot_d -> login_d transition needs; the other three are marked
# further down.
allow boot_d login_et:file { read execute getattr };
# NOTE(review): an fd object carries the type of the domain that created it,
# not the type of the file behind it, so login_et:fd (here, and again for
# login_d below) never matches a real descriptor.  What login inherits from
# its boot_d parent are boot_d:fd objects, and there is no
# `allow login_d boot_d:fd use;` nor `allow login_d boot_d:process sigchld;`.
# Invisible in permissive mode, denials in enforcing mode -- check the avc
# messages.
allow boot_d login_et:fd use ;
# NOTE(review): this rule and its twins for boot_d and login_d below hand
# every domain load_policy, setenforce and setbool on the security SID, i.e.
# any process can replace the policy or switch enforcement off.  Fine for a
# throwaway test policy; for anything else keep these in one admin domain.
allow user_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
allow user_d obj_t:passwd { passwd chsh rootok chfn };
allow boot_d shell_t:file { read execute getattr };
# user_d gets the full file vector on secret_t, relabelfrom/relabelto
# included, so user_d can also move secret_t content out of that type.
allow user_d secret_t:file { append create entrypoint getattr relabelfrom ioctl link lock mounton rename quotaon swapon setattr read unlink relabelto write execute_no_trans execute };
allow boot_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
allow boot_d obj_t:passwd { passwd chsh rootok chfn };
allow login_d shell_t:file { read execute getattr };
allow user_d shell_t:file { read execute getattr };
allow user_d login_et:file { read execute getattr };
allow login_d obj_t:security { compute_av load_policy compute_create compute_relabel compute_user setenforce setbool compute_member check_context };
allow login_d obj_t:passwd { passwd chsh rootok chfn };
allow login_d login_et:file { read execute getattr };
# Piece two: login_d may be entered through a login_et file.
allow login_d login_et:file entrypoint;
allow login_d login_et:fd use;
allow login_d obj_t:file { read execute getattr };
allow login_d obj_t:dir { read getattr lock search ioctl };
# NOTE(review): boot_d has dir access on obj_t but no obj_t:file rule at all,
# so in enforcing mode it could not read a single ordinary file (libraries,
# /etc/passwd, ...).  That the test in the mail ran at all suggests the box is
# permissive -- and in permissive mode a missing allow rule cannot be what
# stops the transition; only a type_transition that does not match can.
allow boot_d obj_t:dir { read getattr lock search ioctl };
allow login_d obj_t:fd use;
# user_d is entered through a shell_t shell (used by the login_d -> user_d
# switch at the bottom).
allow user_d shell_t:file entrypoint;
# Piece three: boot_d may change domain to login_d ...
allow boot_d login_d:process transition;
# ... and piece four: exec'ing a login_et file from boot_d selects login_d as
# the new domain.  All four pieces are present, so a missing TE rule is not
# what keeps login in boot_d.  What is left to check is whether the kernel
# really sees /bin/login as login_et (see the fs_use section: only ext2 is
# covered there) and whether the mount is nosuid, which disables transitions.
type_transition boot_d login_et:process login_d;
# No type_transition here: this is the "voluntary" login_d -> user_d switch
# from the mail, done by login itself (setexeccon) before exec'ing a shell.
# NOTE(review): as I understand it that call also needs
# `allow login_d self:process setexec;`, which is not present -- confirm.
allow login_d user_d:process transition;
#Initial sid contexts
# The single user/role pair every context in this file is built from.
user system_u roles system_r;
# The first task, and everything it execs without a transition, runs in
# boot_d; that is why ps -Z in the mail shows every process in boot_d.
sid kernel system_u:system_r:boot_d
sid security system_u:system_r:obj_t
# NOTE(review): 'unlabeled' is what the kernel falls back to for objects it
# cannot label (as far as I recall that includes files on a filesystem with
# neither an fs_use nor a genfscon rule).  Mapping it to obj_t makes such
# objects indistinguishable from properly labeled ones in avc messages; a
# dedicated type would make labeling failures visible.
sid unlabeled system_u:system_r:obj_t
sid fs system_u:system_r:obj_t
sid file system_u:system_r:obj_t
sid file_labels system_u:system_r:obj_t
sid init system_u:system_r:obj_t
sid any_socket system_u:system_r:obj_t
sid port system_u:system_r:obj_t
sid netif system_u:system_r:obj_t
sid netmsg system_u:system_r:obj_t
sid node system_u:system_r:obj_t
sid igmp_packet system_u:system_r:obj_t
sid icmp_socket system_u:system_r:obj_t
sid tcp_socket system_u:system_r:obj_t
sid sysctl_modprobe system_u:system_r:obj_t
sid sysctl system_u:system_r:obj_t
sid sysctl_fs system_u:system_r:obj_t
sid sysctl_kernel system_u:system_r:obj_t
sid sysctl_net system_u:system_r:obj_t
sid sysctl_net_unix system_u:system_r:obj_t
sid sysctl_vm system_u:system_r:obj_t
sid sysctl_dev system_u:system_r:obj_t
sid kmod system_u:system_r:obj_t
sid policy system_u:system_r:obj_t
sid scmp_packet system_u:system_r:obj_t
sid devnull system_u:system_r:obj_t
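# Filesystem labeling.
# fs_use_xattr: label each inode from its security.selinux xattr (what
# setfiles basic.ctx writes).  Only filesystem types listed here are labeled
# from xattrs; the context at the end is the label of the filesystem itself.
fs_use_xattr ext2 system_u:system_r:obj_t;
# NOTE(review): added ext3 -- the file covered ext2 only, while FC2 installs
# ext3 by default.  As far as I recall, a filesystem with neither fs_use nor
# genfscon rule is given the unlabeled SID (obj_t here) for every inode no
# matter what xattrs are on disk, which would explain the symptom in the
# mail: ls -Z reads the on-disk xattr and shows login_et, but the exec-time
# type_transition sees obj_t and never fires.  Confirm the filesystem type
# of / before relying on this.
fs_use_xattr ext3 system_u:system_r:obj_t;
# non-xattr, non-persistent filesystems: one fixed context for everything.
genfscon proc / system_u:system_r:obj_t
genfscon sysfs / system_u:system_r:obj_t
genfscon selinuxfs / system_u:system_r:obj_t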
[-- Attachment #3: basic.ctx --]
[-- Type: application/octet-stream, Size: 244 bytes --]
# File contexts for setfiles.  Each line is a (anchored) regex on the path
# and the context to write into the security.selinux xattr.
# NOTE(review): with overlapping entries setfiles picks by order (last match
# wins, as far as I know), and the catch-all "/.+" at the bottom also matches
# /bin/login.  The mail reports ls -Z showing login_et, so the specific
# entries evidently survive on this setfiles version -- but moving the two
# catch-all lines to the top would make the intent unambiguous.
# NOTE(review): if /bin/sh is a symlink (usually to bash), only the link gets
# shell_t; the binary it points at is labeled obj_t by the catch-all, and it
# is the target's type that the exec checks see.  Confirm with ls -LZ /bin/sh.
/bin/login system_u:system_r:login_et
/bin/sh system_u:system_r:shell_t
/bin/csh system_u:system_r:shell_t
/bin/tcsh system_u:system_r:shell_t
/secret_file system_u:system_r:secret_t
/ system_u:system_r:obj_t
/.+ system_u:system_r:obj_t
2004-11-03 16:45 Serge Hallyn [this message]
2004-11-03 19:29 ` learning about policies/transitions Stephen Smalley
2004-11-04 16:20 ` Serge Hallyn
2004-11-04 17:11 ` Stephen Smalley
2004-11-05 2:23 ` Serge Hallyn
2004-11-05 12:26 ` Stephen Smalley
2004-11-15 16:12 ` Serge Hallyn
2004-11-15 16:38 ` Stephen Smalley
2004-11-15 17:07 ` Serge Hallyn
2004-11-15 17:28 ` Stephen Smalley
2004-11-15 18:03 ` Serge Hallyn
2004-11-23 4:21 ` Russell Coker